ps/Modules/Alkami.DevOps.SystemEngineering/Public/Write-AlkamiSecretResourcePolicy.tests.ps1

. $PSScriptRoot\..\..\Load-PesterModules.ps1
$here = Split-Path -Parent $MyInvocation.MyCommand.Path
$sut = (Split-Path -Leaf $MyInvocation.MyCommand.Path) -replace '\.tests\.', '.'
$global:functionPath = Join-Path -Path $here -ChildPath $sut

InModuleScope -ModuleName Alkami.DevOps.SystemEngineering -ScriptBlock {
    Write-Host "InModuleScope - Overriding SUT: $global:functionPath"
    Import-Module $global:functionPath -Force
    $inScopeModule = "Alkami.DevOps.SystemEngineering"

    Describe "Write-AlkamiSecretResourcePolicy" {

        Mock -CommandName Get-LogLeadName                      -ModuleName $inScopeModule -MockWith { return 'Write-AlkamiSecretResourcePolicy.tests' }
        Mock -CommandName Get-AWSRegion                        -ModuleName $inScopeModule -MockWith { return @( @{ 'Region' = 'us-east-1' } ) }
        Mock -CommandName Import-AWSModule                     -ModuleName $inScopeModule -MockWith {}
        Mock -CommandName Get-AlkamiSecretResourcePolicyString -ModuleName $inScopeModule -MockWith { return '' }
        Mock -CommandName Write-SECResourcePolicy              -ModuleName $inScopeModule -MockWith {}

        Context "Parameter Validation" {

            It "Throws if SecretName Is Null" {
                { Write-AlkamiSecretResourcePolicy -SecretName $Null } | Should -Throw
            }

            It "Throws if SecretName Is Empty" {
                { Write-AlkamiSecretResourcePolicy -SecretName '' } | Should -Throw
            }

            It "Throws if ProfileName Is Null" {
                { Write-AlkamiSecretResourcePolicy -SecretName 'Test' -ProfileName $null } | Should -Throw
            }

            It "Throws if ProfileName Is Empty" {
                { Write-AlkamiSecretResourcePolicy -SecretName 'Test' -ProfileName '' } | Should -Throw
            }

            It "Throws if Region Is Not In Allowable List" {
                { Write-AlkamiSecretResourcePolicy -SecretName 'Test' -ProfileName 'temp-test' -Region 'Test' } | Should -Throw
            }
        }

        Context "Logic" {

            It "Uses Supplied Extra ARNs When Building Resource Policy" {

                Write-AlkamiSecretResourcePolicy -SecretName 'Test' -ProfileName 'temp-test' -Region 'us-east-1' `
                                                 -SecretAccessExtraArns @('TestArn')

                Assert-MockCalled -ModuleName $inScopeModule -CommandName Get-AlkamiSecretResourcePolicyString -Times 1 -Exactly -Scope It `
                                  -ParameterFilter { $SecretAccessExtraArns[0] -match "TestArn" }
            }

            It "Applies Resource Policy to Secret" {

                Write-AlkamiSecretResourcePolicy -SecretName 'Test' -ProfileName 'temp-test' -Region 'us-east-1' `
                                                 -SecretAccessExtraArns @('TestArn')

                Assert-MockCalled -ModuleName $inScopeModule -CommandName Write-SECResourcePolicy -Times 1 -Exactly -Scope It `
                                  -ParameterFilter { $SecretId -ceq "Test" }
            }
        }
    }
}